Title: Protecting Microsoft Networks with ISA Server 2004
1. Protecting Microsoft Networks with ISA Server 2004
- Enhanced Exchange/
- VPN Support
- By Thomas W. Shinder, M.D.
- ISAserver.org
- TACTEAM
2. Traditional Firewall Security
Packet Filters worked great!
CEO: Is our network secure?
PIX Admin: Yes, I've configured packet filters to block all attacks
PIX IS SECURITY
3. What's on Tap
- Informal presentation
- What's new and improved in Exchange Server remote access connectivity and protection
- What's new and improved in the ISA Server 2004 VPN Server and Gateway
4. ISA Server 2004 Enhanced Exchange Server Protection
- Forms-based authentication
- Improved Exchange Publishing Wizard
- Support for OMA/ActiveSync Publishing
- RADIUS support for OWA Web Publishing scenarios
- SSL to SSL Bridging
- HTTP Security Filter protects SSL connections
(SSL to SSL bridging)
5. ISA Server 2004 Forms-Based Authentication
- Prevents caching of credentials
- Controls session time-outs
- Closes connection when user leaves site
- Prevents attachment access or viewing
- Delegates Basic authentication
- Supports all versions of Exchange
6. ISA Server 2004 Enhanced Exchange Publishing Wizard
- Publish OWA/OMA/ActiveSync
- Intuitive connection bridging interface
- Certificates actually appear in console!
- Create Web listeners on the fly
- Does the rule configuration "heavy-lifting"
- Still need to prepare the network infrastructure
to make it all work
7. ISA Server 2004 Support for OMA/ActiveSync Publishing
- Adds /OMA/
- Adds /Microsoft-Server-ActiveSync/
- Still need to configure the network infrastructure and split DNS
- Also need to configure Exchange Server SSL and authentication settings
8. ISA Server 2004 RADIUS Support for OWA Publishing
- Use RADIUS to authenticate remote OWA users
- ISA Server 2004 does not need to be a member of the domain
- Not supported for Forms-based authentication
- Use IPSec between ISA Server 2004 box and RADIUS server (PAP used)
9. ISA Server 2004 SSL to SSL Bridging
- Client terminates SSL at the ISA Server 2004 firewall
- ISA Server 2004 firewall initiates second SSL link to Exchange Server
- ISA Server 2004 firewall inspects connection while in transient unencrypted state
- SSL to HTTP also supported (not recommended)
10. ISA Server 2004 HTTP Security Filter Protects OWA/OMA/ActiveSync Connections
- SSL to SSL encryption breaks open the SSL tunnel
- HTTP Security Filter examines HTTP data moving through the tunnel
- Can control virtually any aspect of the connection and block based on a variety of characteristics
11. ISA Server 2004 Enhanced VPN Server and Gateway
- Support for IPSec Tunnel Mode for interoperability
- User/Group based access control from VPN clients to any other location
- Lock down VPN client access only to required resources
- User/group based access control also possible for VPN site to site links
- VPN SecureNAT client now supported!
12. ISA Server 2004 IPSec Tunnel Mode Support
- We've been waiting for this for years
- Supports IPSec tunnel mode with multiple third parties: Cisco/Checkpoint/Netscreen
- Not as secure as L2TP/IPSec
- Detailed configuration article available when product releases
13. ISA Server 2004 User/Group based Access Control for Remote Access VPN Clients
- VPN log on credentials used for access control
- Limit access to specific servers
- Limit access to specific protocols
- Limit access to specific content
- Limit access to specific servers, using specific protocols to obtain specific content
- Log all VPN remote access client connections (user information included)
14. ISA Server 2004 User/Group based Access Control for Site to Site Links
- Great for branch office scenarios
- Limit branch office users to specific resources on the main office corpnet
- Log on traffic, Exchange, File servers, and that's it
- Granular access control based on user group
15. ISA Server 2004 VPN SecureNAT Client Support
- Full Internet access for VPN clients
- ISA Server 2004 required Firewall client
- And/or Web Proxy client
- Can still use Firewall and Web Proxy client
- Enhance security and protocol support when VPN
clients configured as Firewall and Web Proxy
clients
16. ISA Server 2004 Exchange and VPN Summary
- ISA Server 2004 Rocks
- FBA and RADIUS pump up the security volume on ISA Server 2004 remote access Exchange Server security
- New VPN features make ISA Server 2004 VPN servers and gateways best of breed for protecting Microsoft networks
17. ISA Server 2004 For More Information
- Buy my book!
- ISA Server 2004 Configuration Guide
- ISA Server 2004 Branch Office Kit
- ISA Server 2004 Exchange Server Kit
- ISA Server 2004 VPN Kit
- ISA Server 2004 Quick Start Guide
- www.isaserver.org
18.
- www.msfirewall.org/isa2004kits.htm